Website Lockdown: Protect Your Site from Hackers

If hackers can get into US Military social media accounts, how can you possibly protect your website from malicious attacks?

If a hacker is determined enough and has enough computing resources, they will get in. It’s like protecting your home: you can install dead-bolts, steel security doors and alarms, but if someone drives a tank through the door, you will probably be under-protected. Protecting your business website is mostly about basic and intermediate-level protection that makes your site a less attractive target to hackers.

Since 2009, businesses have been targeted in 61.2% of hacking attacks, and consumers’ personal data has been the target in almost 90% of attacks.

Basic Protection

Basic protection consists of simple Do-It-Yourself and common sense measures.

Using desktop terminals that are networked to a central computer server reduces the number of data theft opportunities.

For maximum security, purchase terminals that have no USB/Bluetooth connectivity or optical drives.

A Bring Your Own Device (BYOD) policy is also not good for data security because you have no control over the security measures individuals use (or don’t use) on their phones and tablets. The capital savings are negligible compared to the risk such a policy poses to your company’s security. Employees will try to store company files on their tablets to work on at home; some devices will be left in cars and stolen, and others will be lost or lent to teenage children to use.

Passwords

Most people still use easy-to-remember passwords. Many use the same password on all their logins for years at a time without ever changing it. If you allow weak passwords on your network then you are likely to be attacked through account hijacking.

You need to enforce a strong password policy in which users are made to change passwords at frequent intervals. Forbid the writing down of passwords, whether on mobile devices or on paper, and make the consequences for individuals who break this rule clear. You will need an automated system for issuing fresh passwords to users who have forgotten them, but that is a small price to pay to protect your data.
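The policy above is enforced where passwords are set, not just written in a handbook. The following is an added example (not code from the original article) of the checks a sign-up or change-password handler would run: minimum length and character mix, a denylist of common passwords, a check that the username is not embedded, a reuse check against hashed history, and an age check for the rotation interval. The denylist, the 12-character minimum, the 90-day interval and the history depth of five are assumed values chosen for illustration.

```python
"""Password policy enforcement: complexity, denylist, reuse and age checks (added example)."""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed, deliberately tiny denylist; a real deployment loads a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin123"}

MIN_LENGTH = 12        # assumed policy value
MAX_AGE_DAYS = 90      # assumed rotation interval
HISTORY_DEPTH = 5      # assumed: how many previous passwords may not be reused
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 so stored history is never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_violations(password: str, username: str,
                        history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # Re-hash with each stored salt and compare in constant time to block reuse.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True once the password (dates as ISO strings, e.g. from a user record) is older than MAX_AGE_DAYS."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    history = [hash_password("OldPassw0rd!x")]          # constructed prior password
    print(password_violations("OldPassw0rd!x", "alice", history))
    print(password_violations("alice-Winter2024", "alice", history))
    print(password_violations("Tr0ub4dor&3-horse-staple", "alice", history))
    print(password_expired("2024-01-01", "2024-06-01"))
```

Returning the full list of violations, rather than stopping at the first, lets the reset system show the user everything to fix in one round trip; the history check is last because it is the only one that costs a slow hash per stored entry.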

Virus Protection

You need enterprise-level virus protection on all your computers and mobile devices. This lets your network administrator confirm that every device is up to date and identify any threats quickly.

Professional Protection

Professional security goes far beyond the DIY options above but is essential to any business that wants to avoid being slated in the press over a future security breach.

Network Security

Permission to add a device to your network should be available only from the administrator. There should be no automatic, user-driven system.

As an example, Incapsula’s WAF is a good representation of “security from the cloud”, one of the latest advancements in application security technology. Such services can effectively protect your web server from the threats in the diagram above, from malware injections to DDoS attacks. These modern WAFs are offered as plug-and-play services that are compatible with any website and web application. They also offer extra features such as customizable security rules, automatic certification (e.g., PCI compliance) and dashboards that let you track attacks in real time.
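To make the paragraph concrete, here is an added example (not Incapsula’s code, nor code from the original article) of the two mechanisms a cloud WAF combines: customizable signature rules matched against the decoded request, and per-client rate limiting of the kind used to absorb simple DDoS floods. Every blocked request is recorded in an event list, which is what a dashboard would render. The rule patterns, the 20-requests-per-10-seconds threshold and the sample requests are all constructed for illustration.

```python
"""Toy WAF decision engine: signature rules plus per-client rate limiting (added example)."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional
from urllib.parse import unquote_plus

# Customizable rules: (name, compiled pattern). Constructed examples of the kind a cloud WAF ships.
RULES = [
    ("sqli.tautology", re.compile(r"(?i)'\s*or\s+[\w']+\s*=\s*[\w']+")),
    ("sqli.union", re.compile(r"(?i)\bunion\b.{0,20}\bselect\b")),
    ("xss.script_tag", re.compile(r"(?i)<\s*script\b")),
    ("lfi.traversal", re.compile(r"\.\./|%2e%2e%2f", re.IGNORECASE)),
]

RATE_WINDOW_SECONDS = 10
RATE_LIMIT = 20          # assumed threshold: requests per client per window

_history: Dict[str, Deque[float]] = defaultdict(deque)
events: List[dict] = []   # blocked-request log, the data a real-time dashboard would show


def _normalize(s: str) -> str:
    # Decode twice so a payload hidden by double URL-encoding is still seen by the rules
    return unquote_plus(unquote_plus(s))


def _over_rate(client_ip: str, now: float) -> bool:
    """Sliding-window counter: record this request, drop old ones, compare to the limit."""
    q = _history[client_ip]
    q.append(now)
    while q and now - q[0] > RATE_WINDOW_SECONDS:
        q.popleft()
    return len(q) > RATE_LIMIT


def inspect_request(client_ip: str, path: str, body: str, now: float) -> Optional[str]:
    """Return the name of the rule that blocks this request, or None to let it through."""
    if _over_rate(client_ip, now):
        verdict: Optional[str] = "rate.limit"
    else:
        verdict = None
        target = _normalize(path) + "\n" + _normalize(body)
        for name, pattern in RULES:
            if pattern.search(target):
                verdict = name
                break
    if verdict:
        events.append({"ip": client_ip, "rule": verdict, "path": path[:80], "t": now})
    return verdict


def reset() -> None:
    """Clear rate-limit state and the event log (useful between test runs)."""
    _history.clear()
    events.clear()


if __name__ == "__main__":
    # Constructed sample traffic from documentation IP ranges
    print(inspect_request("198.51.100.5", "/products?id=42", "", 100.0))
    print(inspect_request("198.51.100.5", "/login", "user=admin'+OR+'1'='1&pw=x", 100.5))
    print(inspect_request("198.51.100.5", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "", 101.0))
    for i in range(21):
        last = inspect_request("203.0.113.7", "/", "", 200.0 + i * 0.1)
    print(last, len(events))
```

The rate check runs before the signature rules on purpose: under a flood, pattern matching every request is itself a cost, so a client already over its budget is rejected without decoding anything. The rules here are deliberately simple; a production WAF layers many more and tunes them per site, which is what the “customizable security rules” feature in the paragraph refers to.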